Debugging/Fixing Sun Calendar Permissions

1. SSH to your calendar server
2. cd to the calendar server /bin directory (for Luminis this is $CP_ROOT/products/SUNWics5/cal/bin)
3. use the cscal utility to query the trouble user. ex ./cscal -v list jpseudo
4. in the out put you get you'll see a line called 'aces' it will look something like:
   PLAIN TEXT
   CODE:

   1. aces=@@o^c^WDEIC^g;@@o^a^RSF^g;someuser^a^rsf^g;someuser^c^^g;anotheruser^a^rsf^g;anotheruser^c^wd^g;someoneelse^a^rsf^g;someoneelse^c^^g;@^a^^g;@^c^^g;someuser^p^r^g;anotheruser^p^r^g;someoneelse^p^r^g

5. This is the access control list or ACL, it is obviously very hard to read. I use EditPlus to do a regular expression find (;) and replace (;\n) on the permissions to clean it up a bit.
6. Now it reads:
   @@o^c^WDEIC^g;
@@o^a^RSF^g;
someuser^a^rsf^g;
someuser^c^^g;
anotheruser^a^rsf^g;
anotheruser^c^wd^g;
someoneelse^a^rsf^g;
someoneelse^c^^g;
@^a^^g;
@^c^^g;
someuser^p^r^g;
anotheruser^p^r^g;
someoneelse^p^r^g
7. Now for a brief aside explaining these individual permissions called access control entries or ACEs...
   The ACE consists of four distinct elements separated by a caret (^):
   • Who - the user or type of user the permission applies to. Valid entries are:
     • username
     • @@o - all owners
     • @@p - primary owner
     • @@n - not an owner
     • @ - anyone
   • What - the thing being accessed. Valid entries here are:
     • c - calendar component, events or tasks
     • p - calendar properties such as name description owners and so forth
     • a - entire calendar including components and properties
   • How - what actions are permitted. Valid entries are:
     • r - read
     • w - write
     • d - delete
     • s - schedule or invite
     • f - free/busy or availability
     • e - accept or decline invitations
     • i - send invites for events on the calendar
     • c - cancel
   • Grant - this determines whether or not the ACE is a grant (g) or deny (d)

   Now that we have a clue what these ACEs actually represent, how do we go about finding a problem?

8. If the issue is about a single user experiencing trouble with the jpseudo's calendar, then extract only the ACEs that apply to that user or apply globally. If instead it is a generalized issue, eliminate all user specific ACEs and only look at global ones. Either way you should be able to drastically reduce the number of rules you are looking at.
9. If this issue is the example originally given where the user's calendar cannot be seen by any users, then we are looking for a permission like @^p^r^g; or something similar. If the problem is not readily apparent, it is often useful to compare another user who you know works against this problem user.
10. Now it is time to modify the permissions. More specific entries should be ordered first, this allows them to override entries that come later.
11. Once you have the entries ordered properly, the command you need to execute will look something like this:
    PLAIN TEXT
    CODE:

    1. ./cscal -a "@@o^c^WDEIC^g;@@o^a^RSF^g;someuser^a^rsf^g;someuser^c^^g;anotheruser^a^rsf^g;anotheruser^c^wd^g;someoneelse^a^rsf^g;someoneelse^c^^g;@^a^^g;@^c^^g;someuser^p^r^g;anotheruser^p^r^g;someoneelse^p^r^g;@^p^r^g" modify jpseudo

12. Hopefully the change you made succeeds and life is good, if not, rinse and repeat!

2 Responses to “Debugging/Fixing Sun Calendar Permissions”

1. Cliff on July 11th, 2006 12:27 am

   Hi, I am Cliff from EditGrid. I would like to invite you to try our online spreadsheet product EditGrid beta 7. We allows user to post their spreadsheet on blog, hope you would like it.

2. Bramer on December 7th, 2006 9:24 am

   More:

   Change Owner of calendar:
   ./cscal -o new_owner modify calid

   Remove ‘other owners’:
   ./cscal -y “” modify calid

Got something to say?

• hannah montana